GISRA report finds information security woes

Many government agencies have pervasive problems with information security, including a lack of management attention, poor controls on contractors and inadequate monitoring of system activities, according to a new report by the Office of Management and Budget.

The Feb. 13 report is OMB's first to Congress as required under the Government Information Security Reform Act of 2000. The report identifies six problems:

*Lack of senior management attention to security;

*Inadequate accountability for job and program performance related to IT security;

*Weak or nonexistent security education;

*Poor integration of security projects into capital planning and investment control;

*Weak security controls for contractor services;

*Inadequate systems to test and monitor system activity.

The annual report is a benchmark against which OMB and the agencies will monitor their performance improvements, said Mark Forman, OMB's associate director for information technology and e-government.

OMB identified the six weaknesses in a review of more than 50 agency reports filed under GISRA. In the report, OMB wants agencies to:

*Greatly increase senior management's attention to security;

*Establish measures to evaluate the performance of officials with security responsibilities;

*Improve security education and awareness;

*Integrate security into the capital planning and investment control process;

*Ensure that contractor services are secure;

*Improve their ability to detect, report and share information on vulnerabilities.

Agencies have developed and begun implementing plans to fix security problems, as required by OMB guidance issued in October 2001, the report said.

The guidance directed agencies to report security costs for IT investments; document that security controls are incorporated into each IT investment; reflect the agency's security priorities as reported in their corrective action plans; and tie their corrective action plans for IT investments directly to their business cases for those investments.

"OMB has made it a policy to stop funding projects that do not adequately address security requirements and neglect to document how security planning and funding is integrated into the project's life cycle," the report states.

Almost 60 percent of agencies reported spending between 2.1 percent and 5.6 percent of their total IT investment on security. Five agencies said they spend between 7.3 percent and 17 percent, and five agencies reported expenditures between 1 percent and 2 percent.

The Bush administration's fiscal 2003 budget plan calls for spending $4.2 billion on information security, up from $2.7 billion in 2002.

But Forman has cautioned against equating the amount of money spent with the quality of agency information security.

At a budget briefing with IT industry officials earlier this month, Forman said: "The vast majority of the agencies wanted more money, and got more money [for security]. That said, [a statistical analysis showed] the amount of money spent does not consistently determine how good a security program is. Money doesn't change the fact that the head of an agency is not focused on security."

Real improvement will result from significant attention to the six weaknesses OMB identified, the report said.

To improve oversight of security improvements, the report says OMB plans to:

*Consult with agencies on their progress;

*Incorporate security into the scorecard rating each agency on its progress toward meeting the president's government management goals;

*Encourage agency inspectors general to monitor security improvements;

*Assist agencies in developing management-level performance measures for security.